Organizations of all sizes, across all regions, and in all business sectors face an evolving risk from cyber criminals.1 As businesses have become increasingly dependent upon technology, criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime -- from direct theft of data (leading to the potential loss of financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point-of-sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.
Recent studies illustrate the wide-ranging threat of electronic crime. In 2017, more than three of four (78%) respondents to the U.S. State of Cybercrime Survey detected security events in the preceding twelve months, and more than one third (36%) reported that the number of security incidents had increased over the previous year. The average number of incidents is also significant, with increasing monetary loss.
While cyber criminals employ several measures to breach information security defenses and seize sensitive business information, technical security measures implemented in response to increased regulation (as a result of Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act) make direct, purely technological attacks more difficult and costly.
As a result, cyber criminals have shifted their focus away from such purely technological attacks and instead have increasingly attacked employees through the use of “social engineering” – a collection of techniques used to manipulate people into performing actions or divulging confidential information. Social engineering is not a new concept. A social engineer is nothing more than a con man who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computers.
According to the FBI, from October 2013 to May 2018 there were more than 41,000 victims of Business Email Compromise scams – a form of social engineering attack – reported from all 50 states in the United States, totaling $2.9 billion in monetary losses. The number of global incidents is growing at an alarming rate, with an increase of 136% from December 2016 to May 2018 across 150 countries.2
Many businesses mistakenly believe that traditional commercial crime policies cover all cyber-related losses. Although traditional commercial crime policies contain a computer fraud and funds transfer fraud insuring agreement, courts interpreting such policies have generally distinguished between incidents (1) where a thief hacks the insured’s computer systems and, without any action by the insured, uses the computer to steal the insured’s property (either directly by transferring funds using the insured’s computer system or by convincing the insured’s bank to transfer the insured’s funds) and incidents (2) where the insured voluntarily transfers funds.
Depending upon the precise terms and conditions of the coverage provided, courts have generally held that the latter claims – many of which arise from social engineering – are not covered.
Computer Fraud Insuring Agreements
Traditional computer fraud insuring agreements generally limit coverage to direct loss resulting from “theft” through the use of any computer system.3 Many claims involving social engineering do not involve the fraudulent withdrawal of funds from the insured’s account, but instead involve an authorized withdrawal induced by fraud.4 Courts have held that such a loss is outside the scope of coverage typically afforded by the computer fraud insuring agreement because it does not arise “directly” from the use of any computer to fraudulently cause a transfer of property; it arises from an authorized transfer of funds.5 The mere fact that the insured received a fraudulent email inducing it to take action does not establish the use of any computer to fraudulently cause a transfer of that property. Upon receipt of an instruction, the insured has the choice to take immediate action, to analyze the instruction, or to decline it. That decision-making process breaks any causal nexus, and thus the loss arose from an authorized (and therefore uncovered) transfer of funds.6
The decision in Taylor & Lieberman illustrates this distinction between covered losses due to a hacking incident and uncovered losses arising from the knowing transfer of funds. In that case, the insured voluntarily transferred funds to a third party but claimed that its loss was nonetheless covered under a computer crime policy because it was induced to transfer the funds based upon information conveyed through a computer. The Ninth Circuit Court of Appeals held that receipt of an email is not an “unauthorized entry” into the insured’s computer: “T&L also argues that the computer fraud coverage applies because the emails constituted an unauthorized (1) “entry into” its computer system…. First, there is no support for T&L’s contention that sending an email, without more, constitutes an unauthorized entry into the recipient's computer system.”7
The Second Circuit Court of Appeals upheld coverage in Medidata Solutions v. Federal Insurance Company,8 but only after the insured proved that it received emails “armed with a computer code” which caused the insured’s email system to populate an email with the name, email address and photo associated with the insured’s president. The district court acknowledged that the computer fraud insuring clause requires proof that the “perpetrator violate[d] the integrity of a computer system through unauthorized access.”9 The court found that the insured satisfied this standard and established coverage because the insured received spoofed emails that were allegedly “armed” with computer code.10 The Second Circuit affirmed that decision, based upon its conclusion that “spoofing code was introduced into the email system.”11
In so holding, Medidata distinguished the loss alleged therein from other social engineering schemes. The district court acknowledged the decision in Taylor, but distinguished Taylor on the basis that it addressed whether the mere receipt of email triggered computer crime coverage and held that Taylor stood for the proposition that “the mere sending of emails from the client to the accounting firm did not constitute unauthorized entry into the accounting firm's computer system.”12 That ruling, Medidata held, did not apply because “Medidata did not suffer a loss from spoofed emails sent from one of its clients. A thief sent spoofed emails armed with a computer code into the email system that Medidata used.”13
Social engineering schemes commonly involve an authorized wire transfer input released by authorized signatories. These facts, the Fifth Circuit explained, break any causal chain between fraudulent emails and the loss: “The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.”14 Thus, traditional computer crime policies do not cover such losses: “To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud.”15
Funds Transfer Fraud Insuring Agreement
Courts have reached the same result when analyzing such claims under the funds transfer fraud insuring agreement. Subject to the specific terms of the policy, such insuring agreements typically cover fraudulent instructions issued to a financial institution directing such institution to transfer, pay, or deliver money from an account maintained by an insured without the insured’s knowledge and consent. Just as the computer crime insuring agreement is designed to cover a hacking incident, the funds transfer fraud insuring agreement is designed to cover the limited instances where an imposter induces a financial institution to allow funds to be withdrawn from the insured’s account by posing as the insured and submitting fraudulent instructions. The insuring agreement therefore will not respond where an employee authorizes a withdrawal.16 Coverage exists only if the insured demonstrates that the thief issued instructions that purport to have been authorized and the insured can otherwise satisfy the remaining conditions of coverage.17
As the cases referenced explain, the computer crime insuring agreement and funds transfer fraud insuring agreement incorporated into standard commercial crime policies are designed to cover certain types of hacking incidents, not loss resulting from the insured’s conscious decision to proceed with a business transaction (even if induced by a fictitious or fraudulent computer submission). An insured seeking to cover the risk of loss from social engineering should consider insurance policies tailored to address such risks.
Subject to specific terms of coverage within the policy, social engineering coverage expands coverage traditionally afforded under commercial crime policies to address schemes arising from the impersonation of vendors, executives, and clients. Combined with strong internal controls, such coverage enables companies to better protect themselves against the growing risk of a catastrophic loss from social engineers.
Such coverage can be endorsed onto either a commercial crime policy or a cyber insurance policy. Because commercial crime policies are oriented toward covering first-party loss, an insured may prefer to endorse social engineering coverage to that policy while preserving the liability coverage afforded under a cyber policy in the event of a breach which results in substantial liability exposure.
The Professional Lines specialists at AmWINS, in partnership with AXIS, a leading Crime insurance carrier, have developed a solution specifically tailored to address losses from social engineering attacks. This solution offers limits up to $10M for social engineering (subject to underwriting criteria), policy language that responds to social engineering fraud losses, and free social engineering training for employees, as well as a significant discount for higher level training from the world’s largest security awareness training provider.
In the second part of our series, we will identify examples of schemes employed by social engineers and how to design and implement comprehensive security practices to mitigate the risk of a loss.
About the Author
This article was co-authored by Lisa Block, vice president and national commercial crime product manager for AXIS Insurance Company, and Scott Schmookler, Esq., a partner in the Chicago office of Gordon Rees Scully Mansukhani, LLP. Scott counsels clients on insurance issues relating to commercial crime policies, cyber crime, and data breaches.
1 2014 U.S. State of Cybercrime Survey, available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/2014-us-state-of-cybercrime.jhtml (last visited September 3, 2014).
2 Federal Bureau of Investigation (July 2018). Business E-mail Compromise: The 12 Billion Dollar Scam. https://www.ic3.gov/media/2018/180712.aspx
3 Taylor & Lieberman v. Fed. Ins. Co., 2017 U.S. App. LEXIS 4205, *3-4 (9th Cir. Mar. 9, 2017); Apache v. Great Am. Ins., 662 F. App’x 252, 258-59 (5th Cir. 2016); Kraft Chem. Co. v. Fed. Ins. Co., 2016 Ill. Cir. LEXIS 1, at *17 (Ill. Cir. Ct. Jan. 5, 2016); Universal Am. Corp. v. Nat’l Union, 959 N.Y.S.2d 849, 853 (Sup. Ct. 2013), aff’d, 972 N.Y.S.2d 241, 242 (App. Div. 2013), aff’d, 37 N.E.3d 78, 81 (N.Y. 2015); Great American Ins. Co. v. AFS/IBEX Fin. Servs., Inc., No. 07-cv-924, 2008 U.S. Dist. LEXIS 55532 at *45 (N.D. Tex. July 21, 2008); Pinnacle Processing Group, Inc. v. Hartford Cas. Ins. Co., 2011 U.S. Dist. LEXIS 128203, 2011 WL 5299557 (W.D. Wash. Nov. 4, 2011).
4 Pinnacle Processing Group, Inc. v. Hartford Cas. Ins. Co., 2011 U.S. Dist. LEXIS 128203, 2011 WL 5299557 (W.D. Wash. Nov. 4, 2011) (rejecting the insured’s contention that computer fraud coverage is implicated simply because a computer was used in the scheme).
5 Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2006).
6 Id.; see also Pestmaster Serv. v. Travelers Cas. & Sur. Co. of Am., CV 13-5039-JFW, 2014 U.S. Dist. LEXIS 108416 (C.D. Cal. July 17, 2014).
7 Taylor, 2017 U.S. App. LEXIS 4205 at *3.
8 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, 729 Fed. Appx. 117 (2d Cir., July 6, 2018).
9 Id., 268 F. Supp. 3d at 480.
11 Id. at 118; see also American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, 2018 U.S. App. LEXIS 19208 (6th Cir., July 13, 2018) (finding coverage under policy coverage “use of any computer to fraudulent cause a transfer of Money, Securities or other Property….”, on the theory that transmittal of email involved the use of a computer).
12 Id., 268 F. Supp. 3d at 480.
14 Apache, 662 F. App’x at 254. Principle v. Ironshore, 2016 WL 4618761 (N.D. Ga. 2016) cited the district court’s decision in Apache v. Great Am. Ins., 2015 U.S. Dist. LEXIS 161683 (S.D. Tex. Aug. 7, 2015). The district court’s decision in Apache was subsequently reversed by the Fifth Circuit (662 F. App’x 252, 258-59 (5th Cir. 2016)). Principle is currently on appeal.
15 Id. at 258.
16 Black’s Law Dictionary defines a “fraudulent act” as “[c]onduct involving bad faith, dishonesty, a lack of integrity, or moral turpitude.” Black’s Law Dictionary 687 (8th ed. 1990). This definition requires proof of an intent to deceive: “mere irregularities committed without such intent do not constitute acts of fraud or dishonesty.” 13 Couch, Insurance 2d, § 46:55, p. 58.
17 Sb1 Fed. Credit Union v. FinSecure, LLC, No. 13-6399, 2014 U.S. Dist. LEXIS 49596 (E.D. Pa. Apr. 9, 2014); Morgan Stanley Dean Witter & Co. v. Chubb, 2005 N.J. Super. Unpub. LEXIS 798 (N.J. App. Div. Dec. 2, 2005); Northside Bank v. American Cas. Co. of Reading, No. GD 97-19482, 2001 WL 34090139 (Pa. Commw. Pl. Jan. 10, 2001).
Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.
(c) 2017 AmWINS Group, Inc.